The Schrems II decision is having a seismic impact on organizations’ data transfer practices months after being delivered by the Court of Justice of the European Union (CJEU). While the case itself was limited to considering EU-U.S. data transfer mechanisms, the effects of the decision have quickly turned out to be wider reaching. In light of the uncertainties and confusion arising out of this decision, three documents issued by the European authorities – the Supplementary Measures Recommendations, the Essential Guarantees and the New SCCs (all introduced below) – will likely be welcome news to organizations that have struggled since July to interpret the CJEU’s ruling and implement it in a meaningful and practical way.
But we are not there yet; the Supplementary Measures Recommendations and the New SCCs, in particular, are not quite the pragmatic and actionable guidance that the privacy community was seeking. It is hoped that the drafts of these two documents will evolve during the consultation process and provide more practical solutions than their current versions. (Readers should note that the public consultation for the Supplementary Measures Recommendations is open until December 21, 2020; however, the consultation for the New SCCs is now closed.)
As a reminder, the Schrems II decision (i) invalidated the EU-U.S. Privacy Shield and (ii) added a new burden on organizations to assess (prior to transfer) whether a third country provides an adequate level of protection for personal information. The CJEU, however, did not give any practical insight as to how organizations should carry out an assessment of third country adequacy or what kind of supplemental measures they should consider to validate their data transfers.
With businesses facing a risk of noncompliance simply because of the uncertainties that the Schrems II decision creates, the EU authorities have finally stepped in with much-needed documents:
We provide below a summary of key takeaways from the:
The Supplementary Measures Recommendations set out a six-step plan for organizations exporting data outside the EEA (“data exporters”) to follow when transferring personal information to organizations in a non-EEA country (“data importers”).
The concepts within the Supplementary Measures Recommendations are useful starting points. As currently drafted, however, they lack proportionality and practicality. The process for implementing supplemental measures would greatly benefit from a more risk-based approach. For example, the EDPB’s current draft suggests that certain supplementary measures must be implemented in order to transfer any personal information without regard to the sensitivity of the information or, most significantly, the risks to the rights and freedoms of the individuals.
Furthermore, under Step 3, the burden on organizations of assessing a country’s level of adequacy remains significant, even though the EDPB suggests that data importers assist with the assessment and provides a shortlist of the sources of law that might be consulted. The risk is that organizations are likely to each make different and inconsistent assessments of adequacy for the same countries. This could in turn lead to unwanted fragmentation—something that the GDPR was designed to overcome. It will be interesting to see whether the finalized version of the Supplementary Measures Recommendations changes in this area.
The EDPB has also updated its Essential Guarantees to help organizations assess third countries’ surveillance measures and legal frameworks. The four Essential Guarantees are:
A. Processing of personal information should be based on clear, precise, and accessible rules. Which category of individuals is subject to surveillance? Is there a limitation on the duration of the surveillance measures? Are the necessary safeguards in place? Surveillance measures should not be arbitrarily applied to individuals.
B. Any limitations imposed on individuals’ rights and freedoms as a result of surveillance measures must be necessary and proportionate. For example, is surveillance limited to situations where there is a genuine or present threat to national security?
C. Any interference in the right to privacy should be subject to an independent oversight mechanism. This oversight can be either by a judge or by another entity that is sufficiently independent from political pressures and can be publicly scrutinized.
D. Individuals should have access to effective remedies. This means that individuals should have the opportunity to bring legal action before an independent and impartial court, either to gain access to their personal information or to ask for rectification/deletion of their information. In addition, third countries’ laws should give courts/tribunals the power to issue decisions that are binding on public authorities (including intelligence services).
The Essential Guarantees provide organizations with itemized criteria to help assess a third country’s level of data protection. At the same time, they suffer from the same overarching issue that challenges the Supplementary Measures Recommendations; it is inherently inefficient and unreasonable to expect every organization to independently assess third countries’ laws. Moreover, this approach will likely result in diverging and inconsistent assessments for the same countries.
Notably, the assessment framework in the Essential Guarantees is the same as the one that the European Commission is required to apply in the context of an adequacy decision. This raises a valid question: Should the European Commission guide the analysis for each third country’s adequacy, rather than leaving the assessment to individual organizations?
The New SCCs are a long-awaited and much-needed development; the existing SCCs date back to the pre-GDPR era of 2004 and 2010. While it has been working on updating the existing SCCs for a while now, the European Commission delayed publication pending the Schrems II decision in order to take the CJEU’s ruling into account in the New SCCs.
Under the current proposal, organizations will be required to replace all of their existing SCCs with the New SCCs within one year following adoption of the New SCCs. This tight transitional period could create substantial problems for organizations. For many, this will mean having to address hundreds if not thousands of agreements in need of remediation, potentially re-opening entire relationships to further negotiation, all within one year. This is a major departure from the approach that the European Commission took when it issued the current controller-processor SCCs in 2010; organizations were then allowed to continue relying on the previous version of the SCCs that had already been concluded, provided that the subject matter remained unchanged. Hopefully, the European Commission will choose to apply the same approach again and not insist on a period that would impose unnecessary burden and cost on organizations.
The key changes proposed under the New SCCs include:
It is important to be aware that the New SCCs impose a number of additional obligations on data importers that go well beyond the GDPR’s requirements. For example:
Nobody would dispute that 2020 has been a turbulent year for international data transfers, compounded by the COVID-19 pandemic placing additional burdens on organizations’ privacy and data protection compliance practices. While the guidance and New SCCs are a step in the right direction, they do not provide all of the answers. Organizations should be prepared for all of the work that will be required for their data transfer compliance programs next year. We will keep you informed as the situation develops.